IdentityNow LCM state chaging user email notification - and LCM email template

Identity Security Cloud (ISC) ISC Discussion and Questions
1

Hi,
IdentityNow LCM user state allows making an email notification to be sent to a user manager and/or to a dedicated team email mailbox.

Any way to notify the identity itself (user) when user identity has been switched to the new LCM state?

Email templates disallow a customisation of To field.

Any way to notify the identity itself (user) when user identity has been switched to the new LCM state?

Email templates disallow a customisation of To field.

$(user.email) global var cannot be used in Identity Profile Provisioning LCM settings.

Normally we do have it in the IDM world. For example when the user contract or employee working agreement is going to the end date, common (and best) practive last 20 years was to send a notification in advance to the user by email that his company account(s)/access/bla bla is going to be ended on dd.MM.YY (equal to employee last working day or termination date or end date) with advice to contact his manager. It is especially important nowadays when many companies prefer to have people as short and long term contractors and not as a full staff.

Simultaneously similar email typically should typically send to the user line manager with a reference to the user. This part email notification is present out-of-of, but for the user themself notification - is not.

Any workarounds?

2

Hi @kenilelk1,

Unfortunately our notifications service has very limited capabilities and customization options at this time, but we are building out an engineering team that will revamp our notifications service to make it much more customizable. To help this new team understand the use cases that customers like you want to see, can you please submit this as an idea to our ideas portal? This is the best way for customers to suggest new functionality to our platform and see the progress that their feature requests are making. If you could link your idea back in this post, then other people reading this post who want the same functionality can vote for your idea.

1 Like
3

There is a workaround that you can employ until this feature is made available. We have an event trigger called Identity Attributes Changed that will notify a subscriber anytime an attribute on an identity has changed. You can subscribe to this event trigger and use the following filter to only receive events when the cloud lifecycle state of an employee has changed:

$.changes[?(@.attribute == "cloudLifecycleState")]

The result of this trigger and filter will look like this:

{
  "_metadata": {
    "invocationId": "b50e98ff-b9a6-4ba0-963d-f544535f448c",
    "triggerId": "idn:identity-attributes-changed",
    "triggerType": "fireAndForget"
  },
  "changes": [
    {
      "attribute": "cloudLifecycleState",
      "newValue": "mover",
      "oldValue": "active"
    }
  ],
  "identity": {
    "id": "2c918087796ba069017980dd01491494",
    "name": "jack.ryan",
    "type": "IDENTITY"
  }
}

You can then find the email address of the affected identity by using the public identities endpoint and supplying the identity ID from the event in the filter query parameter. It would look like GET https://{tenant}.api.identitynow.com/v3/public-identities?filters=id%20eq%20'2c918087796ba069017980dd01491494'. This will return details about the identity, including their email address.

All of these steps can be performed by writing a script in Python or Powershell, but you can also use our Workato or Zapier apps to make this process much easier. If you want to pursue either route, please don’t hesitate to reach out to me if you get stuck.

5 Likes